DETAILED ACTION 

1. This office action is in reply to an amendment filed on December 03, 2007. Claims 1, 2, 
11, 18, 29 and 30 have been amended. Claims 1-39 are pending. 

Response to Arguments 

Applicant's arguments with respect to claims 1-39 have been considered but are moot in 
view of the new ground(s) of rejection (See claim rejections below for citations and explanation 
for newly added limitations). Examiner would also point out that, after further consideration, 
Claims 18-28 are found to be directed to a non-statutory subject matter and therefore are 
rejected under 35 USC 101 (see claim rejection below). 

Claim Rejections - 35 USC § 101 

35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

Claims 18-28 are rejected under 35 U.S.C. 101 because the claimed invention is 
directed to non-statutory subject matter. 

Claims 18-28 are directed to a system for protecting a distributed application user. The 
examiner respectfully asserts that the claimed subject matter does not fall within the statutory 
classes listed in 35 USC 101. Claim 18 recites a security, association and command checking 
system, defined in the specification to be implemented through software [see specification 
pages 13-14, paragraph 0031] and therefore, the recited claims are directed to functional 
descriptive material. Generally functional descriptive material (i.e., software) is statutory when it 
is stored on a tangible computer readable storage medium. Claim 18 is rejected as being 
directed to a functional descriptive material. Claims 19-28 depend from claim 18 and therefore 
are rejected under the same rationale. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 1-39 are rejected under 35 U.S.C. 103(a) as being unpatentable over Levergood 
et al. US 5,708,780 (hereinafter Levergood) in view of applicant's own admitted prior art 
(hereinafter AAPA). 

As per claims 1, 3, 8-11, 18, 20, 24, 26-29, 31 and 35, Levergood teaches a method for 
protecting a distributed application user, comprising: 

providing a distributed application on a server (i.e., web-pages on a server) [column 5, 
lines 17-41]; 

authenticating a user of the distributed application [column 5, lines 41-50 and column 6, 
lines 27-50]; 

determining, on the server, a security value for the authenticated user (i.e., SID is 
generated for an authenticated user) [column 5, lines 41-64 and column 6, lines 53-column 7, 
line 13]; 

associating the security value with a set of uniform resource locators (URLs) 
corresponding to a set of commands of the distributed application [column 5, line 49-column 6, 
line 4 and column 7, lines 14-31]; 

communicating the security value to a client operated by the authenticated user [column 
5, line 49-column 6, line 4 and column 7, lines 14-31]; 

receiving one of the set of URLs on the server from the client [column 5, line 64-column 
6, line 16 and column 7, lines 14-21]; and 

checking the one URL for the security value (i.e., check if SID is attached to the URL) 
[column 5, lines 41-49 and column 6, line 65-column 6, lines 26 and column 7, lines 35-47], and 
returning an error message to the authenticated user if the security value is not found with the 
one command, wherein the error message prompts the authenticated user for confirmation 
before the one command can be executed (i.e., if SID is not detected with the URL, redirecting it 
back to the client and requesting the client to submit authentication credentials again for 
validation/confirmation column 5, lines 46-50 and column 7, lines 41-49). 

Levergood teaches associating the security value with a set of uniform resource locators 
(URLs) corresponding to a set of commands of the distributed application [column 5, line 49- 
column 6, line 4 and column 7, lines 14-31], but is silent on a command comprising a command 
that can be used in a malicious attack against authenticated user. However, AAPA teaches 
associating the security value with a set of uniform resource locators (URLs) corresponding to a 
set of commands of the distributed application, wherein each command comprises a command 
that can be used in malicious attack against authenticated user [see specification pages 1-2 
paragraphs 2-4]. Therefore, it would have been obvious to one having ordinary skill in the art at 
the time of applicant's invention to employ the teachings of AAPA within the system of 
Levergood in order to enhance the security of the system. 

As per claims 2, 12, 19 and 30, AAPA further teaches the method, wherein the one 
command comprises a command to delete files of the authenticated user [see specification 
pages 1-2 paragraphs 2-4]. 

As per claims 4, 21 and 32, Levergood further teaches the method wherein the security 
value is a pseudo-random number (i.e., session identifier including user identifier, column 3, 
lines 34-41). 

As per claims 5, 17, 22 and 33, Levergood further teaches the method further 
comprising storing the security value on the server [column 6, lines 5-23]. 

As per claims 6, 13, 23 and 34, Levergood further teaches the method further 
comprising: associating the security value with session information corresponding to the 
authenticated user, and communicating the session information and the security value to the 
authenticated user [column 6, lines 5-23 and column 7, lines 14-21]. 

As per claims 7, 25 and 36, Levergood further teaches the method wherein the 
authenticated user operates a client that communicates with the server [column 6, lines 22-26]. 

As per claims 14 and 37, Levergood further teaches the method wherein the associating 
step comprises appending the security value to a set of URLs corresponding to a set of 
commands of the distributed application [column 5, line 49-column 6, line 4 and column 7, lines 
14-31]. 

As per claims 15 and 38, Levergood further teaches the method wherein the one URL is 
pre-constructed on the server, and wherein client receives the one URL and the associated 
security value from the server [column 7, lines 14-33]. 

As per claims 16 and 39, Levergood further teaches the method wherein the one URL is 
constructed on the client, and wherein the associating step comprises, extracting the security 
value on the client, and appending the security value to the one URL [column 5, lines 52-65]. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to BEEMNET W. DADA whose telephone number is (571) 272-3847. The 
examiner can normally be reached on Monday - Friday (9:00 am - 5:30 pm). 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Y. Vu can be reached on (571) 272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you 
would like assistance from a USPTO Customer Service Representative or access to the 
automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 